Nginx: disallow PHP execution in the uploads directory with Magento


I'm having a hard time getting nginx to stop executing PHP in the upload directory of a Magento installation. I've tried many combinations of directives that are supposed to send a 503 or similar when *.php is matched in that directory, but I'm still able to execute PHP there. Of course the code-level solution is to prevent .php files from being uploaded at all, but I don't understand how to prevent execution from nginx's side.

map $http_x_ssl_offloaded $fastcgi_https {
    default off;
    on      on;
}


server {
    listen       80;
    server_name  store.xxxx.com;
    root         /var/www/store.xxxx.com;

    #charset koi8-r;

    #access_log  /var/log/nginx/store.xxxx.com-access.log  main;
    access_log  /var/log/nginx/store.xxxx.com-access.log;
    error_log   /var/log/nginx/store.xxxx.com-error.log;

    gzip on;
    gzip_disable msie6;
    gzip_static on;
    gzip_comp_level 9;
    gzip_proxied any;
    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    location / {
        index index.html index.php;
        try_files $uri $uri/ @handler; ## file, then directory, then the Magento front handler
        expires 30d; ## Assume all files are cachable
    }

    ## Location for media to prevent execution of php
    location ^~ /media/              {}

    ## These locations would be hidden by .htaccess normally
    location ^~ /app/                { deny all; }
    location ^~ /includes/           { deny all; }
    location ^~ /lib/                { deny all; }
    location ^~ /media/downloadable/ { deny all; }
    location ^~ /pkginfo/            { deny all; }
    location ^~ /report/config.xml   { deny all; }
    location ^~ /var/                { deny all; }

    location /var/export/ { ## Allow admins only to view export folder
        auth_basic           "Restricted"; ## Message shown in login window
        auth_basic_user_file htpasswd; ## See /etc/nginx/htpassword
        autoindex            on;
    }

    location ~ /\. { ## Disable .htaccess and other hidden files (regex, so subdirectories are covered too)
        return 404;
    }

    location @handler { ## Magento uses a common front handler
        rewrite / /index.php;
    }

    location ~ \.php/ { ## Forward paths like /js/index.php/x.js to relevant handler
        rewrite ^(.*\.php)/ $1 last;
    }

    # Pass all PHP scripts to the PHP-FPM
    location ~ [^/]\.php(/|$) {

        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        ## Only pass scripts that actually exist on disk (avoids the cgi.fix_pathinfo problem)
        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        expires        off; ## Do not cache dynamic content
        fastcgi_pass   127.0.0.1:9000;
        include        fastcgi_params;

        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  MAGE_RUN_CODE en_us;
        fastcgi_param  MAGE_RUN_TYPE store;
        fastcgi_param  SSL_OFFLOADED $fastcgi_https;
        fastcgi_param  HTTPS $fastcgi_https;

        fastcgi_read_timeout 6000;
    }

    location /api {
        rewrite ^/api/rest /api.php?type=rest last;
        rewrite ^/api/v2_soap /api.php?type=v2_soap last;
        rewrite ^/api/soap /api.php?type=soap last;
    }

    location /nginx_status {
        stub_status on;
        access_log   off;
        allow 127.0.0.1;
        deny all;
    }

    # deny running scripts inside writable directories
    # (as posted: this regex location sits AFTER the PHP handler regex above)
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        return 403;
        error_page 403 /403_error.html;
    }

    # caching of files
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }

    # redirect server error pages to the static page /40x.html
    #
    error_page  404              /404.html;
    location = /40x.html {
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny  all;
    }
}
From the nginx documentation:

…regular expressions are checked in the order of their appearance in the configuration file. The search of regular expressions terminates on the first match, and the corresponding configuration is used.

So the location that denies the scripts has to come before the location that executes them.

I'm not entirely sure, but I think the reason this doesn't work:

## Location for media to prevent execution of php
location ^~ /media/              {}

…is that it has no immediate effect, and the compiler optimizes it away completely.

Try adding above the line:

location ~ [^/]\.php(/|$) {

the following directive (change "your_directory" to the folder in which uploaded PHP files must not run):

location ~* /your_directory/.*\.php$ {
    return 503;
}


Fix - I forgot that the directives are matched in order, and in my case these directories were being matched earlier by other rules. Once I moved

# deny running scripts inside writable directories
location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        return 403;
        error_page 403 /403_error.html;
}

higher up, I was able to block PHP execution. Thanks for your answer; why put the "$" at the end of the expression?

The "$" at the end means it should only match files that actually end in ".php" (e.g. it won't match "my.php.document.html").
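The ordering rule the thread turns on can be checked without a running nginx. The following is an added example for this page, not code from the original question or answers: a reduced Python model of nginx's location selection (exact match first; longest matching prefix, used straight away if it carries ^~; otherwise regex locations in configuration order, first match wins; otherwise the remembered prefix). The location patterns are copied from the posted config, the request URIs are constructed, and the DENY_PATHINFO variant is a hypothetical hardening of my own, not something the post proposes. It shows three things: with the deny regex placed after the PHP handler, /tmp/shell.php is handed to PHP-FPM, and moving the deny regex up is what changes the outcome; /media/shell.php is served by the empty ^~ /media/ block in both orders, because a ^~ prefix match stops regex evaluation; and the $-anchored deny pattern does not match /tmp/shell.php/x.js, which the handler regex [^/]\.php(/|$) does match, after which fastcgi_split_path_info sets $fastcgi_script_name to /tmp/shell.php, the -f test passes and the uploaded script runs. Ending the deny pattern with (/|$), as the PHP handler itself does, closes that gap.

```python
"""Simplified model of how nginx picks a `location` for a request URI.

Added example for this thread, not code from the original post.  The location
patterns below are copied from the posted config; the request URIs are
constructed.  The selection algorithm is a reduced version of nginx's and
ignores nested and named (@handler) locations:

  1. an exact (=) location equal to the URI wins at once;
  2. otherwise the longest matching prefix location is remembered, and if it
     carries ^~ it is used without consulting any regex location;
  3. otherwise regex locations (~, ~*) are tried in configuration order and
     the FIRST match wins;
  4. if no regex matches, the remembered prefix location is used.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*"
    pattern: str    # prefix string or regex
    action: str     # what the block does; used for display and assertions

    def regex_matches(self, uri: str) -> bool:
        flags = re.IGNORECASE if self.modifier == "~*" else 0
        return re.search(self.pattern, uri, flags) is not None


def select_location(locations: Sequence[Location], uri: str) -> Optional[Location]:
    """Return the Location this model says nginx would use for `uri`."""
    best_prefix: Optional[Location] = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix                      # ^~ prefix: regexes are skipped
    for loc in locations:
        if loc.modifier in ("~", "~*") and loc.regex_matches(uri):
            return loc                          # first regex match wins
    return best_prefix


def decision(locations: Sequence[Location], uri: str) -> str:
    loc = select_location(locations, uri)
    return loc.action if loc else "no location"


# Locations taken from the posted config (actions abbreviated).
ROOT = Location("", "/", "try_files -> @handler")
MEDIA = Location("^~", "/media/", "empty block: served as a static file")
PHP_EXEC = Location("~", r"[^/]\.php(/|$)", "fastcgi_pass 127.0.0.1:9000")
DENY_POSTED = Location(
    "~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$", "return 403")
# Hypothetical hardening (not from the post): also deny when path_info follows
# the script name, mirroring the (/|$) used by the PHP handler itself.
DENY_PATHINFO = Location(
    "~*", r"/(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)(/|$)", "return 403")

AS_POSTED = [ROOT, MEDIA, PHP_EXEC, DENY_POSTED]            # deny regex after the PHP handler
DENY_FIRST = [ROOT, MEDIA, DENY_POSTED, PHP_EXEC]           # the asker's fix: deny moved up
DENY_FIRST_HARDENED = [ROOT, MEDIA, DENY_PATHINFO, PHP_EXEC]

# Constructed request URIs: an uploaded script, the same with trailing path_info,
# an uppercase extension, a file under the ^~ /media/ prefix, and two ordinary requests.
SAMPLE_URIS = ["/tmp/shell.php", "/tmp/shell.php/x.js", "/images/a.PHP",
               "/media/shell.php", "/index.php", "/skin/frontend/default/styles.css"]

if __name__ == "__main__":
    for name, locs in [("as posted", AS_POSTED), ("deny first", DENY_FIRST),
                       ("deny first, (/|$)", DENY_FIRST_HARDENED)]:
        print(f"== {name}")
        for uri in SAMPLE_URIS:
            print(f"  {uri:40} -> {decision(locs, uri)}")
```

Run it as a script to print the decision table for the three orderings. In the real config the equivalent change is to place the deny regex location above `location ~ [^/]\.php(/|$)` and, if path_info requests should not reach an uploaded script either, to end its pattern with (/|$) instead of $; the model also confirms that the case-insensitive ~* deny catches /images/a.PHP, which the case-sensitive PHP handler would not have matched anyway.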